[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.1' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.994555] audit: type=1400 audit(1594550334.661:8): avc: denied { execmem } for pid=6439 comm="syz-executor444" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 38.085219] ==================================================================
[ 38.085244] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbaf/0xd10
[ 38.085251] Read of size 1 at addr ffff8880a0f818b0 by task syz-executor444/6439
[ 38.085253]
[ 38.085261] CPU: 0 PID: 6439 Comm: syz-executor444 Not tainted 4.19.132-syzkaller #0
[ 38.085266] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.085268] Call Trace:
[ 38.085280]  dump_stack+0x1fc/0x2fe
[ 38.085292]  print_address_description.cold+0x54/0x219
[ 38.085301]  kasan_report_error.cold+0x8a/0x1c7
[ 38.085307]  ? bit_putcs+0xbaf/0xd10
[ 38.085315]  __asan_report_load1_noabort+0x88/0x90
[ 38.085322]  ? bit_putcs+0xbaf/0xd10
[ 38.085328]  bit_putcs+0xbaf/0xd10
[ 38.085345]  ? bit_cursor+0x1820/0x1820
[ 38.085357]  ? fb_get_color_depth+0x11a/0x240
[ 38.085365]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 38.085375]  ? bit_cursor+0x1820/0x1820
[ 38.085382]  fbcon_putcs+0x336/0x4f0
[ 38.085393]  do_update_region+0x399/0x630
[ 38.085403]  ? con_get_trans_old+0x280/0x280
[ 38.085413]  ? fbcon_set_palette+0x4d0/0x5f0
[ 38.085420]  ? var_to_display+0x7f0/0x7f0
[ 38.085429]  redraw_screen+0x5e1/0x870
[ 38.085437]  ? wait_for_completion_io+0x10/0x10
[ 38.085444]  ? vc_init+0x440/0x440
[ 38.085456]  vc_do_resize+0x1132/0x1440
[ 38.085471]  ? redraw_screen+0x870/0x870
[ 38.085480]  ? lock_acquire+0x170/0x3c0
[ 38.085486]  ? vt_ioctl+0x1e71/0x24d0
[ 38.085497]  vt_ioctl+0x1f74/0x24d0
[ 38.085506]  ? vt_waitactive+0x350/0x350
[ 38.085516]  ? avc_has_extended_perms+0x86d/0xea0
[ 38.085525]  ? __save_stack_trace+0xaf/0x190
[ 38.085534]  ? avc_ss_reset+0x170/0x170
[ 38.085541]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 38.085550]  ? tty_jobctrl_ioctl+0x4d/0xed0
[ 38.085557]  ? vt_waitactive+0x350/0x350
[ 38.085564]  tty_ioctl+0x5b0/0x15c0
[ 38.085573]  ? do_sys_open+0x2ba/0x520
[ 38.085579]  ? tty_fasync+0x300/0x300
[ 38.085587]  ? mark_held_locks+0xf0/0xf0
[ 38.085599]  ? debug_check_no_obj_freed+0x201/0x482
[ 38.085609]  ? lock_downgrade+0x720/0x720
[ 38.085616]  ? lock_acquire+0x170/0x3c0
[ 38.085623]  ? tty_fasync+0x300/0x300
[ 38.085633]  do_vfs_ioctl+0xcdb/0x12e0
[ 38.085642]  ? selinux_file_ioctl+0x506/0x6c0
[ 38.085650]  ? ioctl_preallocate+0x200/0x200
[ 38.085658]  ? selinux_inode_link+0x20/0x20
[ 38.085666]  ? putname+0xe1/0x120
[ 38.085674]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 38.085683]  ? putname+0xe1/0x120
[ 38.085695]  ksys_ioctl+0x9b/0xc0
[ 38.085704]  __x64_sys_ioctl+0x6f/0xb0
[ 38.085712]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 38.085720]  do_syscall_64+0xf9/0x620
[ 38.085729]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.085736] RIP: 0033:0x4403a9
[ 38.085744] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.085748] RSP: 002b:00007ffd6a7c56a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 38.085755] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403a9
[ 38.085760] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[ 38.085764] RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
[ 38.085768] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 38.085772] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 38.085781]
[ 38.085785] Allocated by task 6439:
[ 38.085793]  __kmalloc+0x15a/0x3c0
[ 38.085799]  fbcon_set_font+0x34f/0x8a0
[ 38.085805]  con_font_op+0xd02/0x10e0
[ 38.085811]  vt_ioctl+0x116d/0x24d0
[ 38.085816]  tty_ioctl+0x5b0/0x15c0
[ 38.085823]  do_vfs_ioctl+0xcdb/0x12e0
[ 38.085829]  ksys_ioctl+0x9b/0xc0
[ 38.085835]  __x64_sys_ioctl+0x6f/0xb0
[ 38.085841]  do_syscall_64+0xf9/0x620
[ 38.085848]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.085850]
[ 38.085852] Freed by task 24:
[ 38.085859]  kfree+0xcc/0x210
[ 38.085864]  release_one_tty+0x2dd/0x3f0
[ 38.085870]  process_one_work+0x864/0x1570
[ 38.085876]  worker_thread+0x64c/0x1130
[ 38.085882]  kthread+0x30b/0x410
[ 38.085888]  ret_from_fork+0x24/0x30
[ 38.085890]
[ 38.085895] The buggy address belongs to the object at ffff8880a0f81680
[ 38.085895]  which belongs to the cache kmalloc-1024 of size 1024
[ 38.085901] The buggy address is located 560 bytes inside of
[ 38.085901]  1024-byte region [ffff8880a0f81680, ffff8880a0f81a80)
[ 38.085904] The buggy address belongs to the page:
[ 38.085911] page:ffffea000283e000 count:1 mapcount:0 mapping:ffff88812c39cac0 index:0x0 compound_mapcount: 0
[ 38.085918] flags: 0xfffe0000008100(slab|head)
[ 38.085928] raw: 00fffe0000008100 ffffea00028db288 ffffea000282be08 ffff88812c39cac0
[ 38.085935] raw: 0000000000000000 ffff8880a0f80000 0000000100000007 0000000000000000
[ 38.085938] page dumped because: kasan: bad access detected
[ 38.085940]
[ 38.085942] Memory state around the buggy address:
[ 38.085948]  ffff8880a0f81780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.085953]  ffff8880a0f81800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.085958] >ffff8880a0f81880: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.085961]                                      ^
[ 38.085966]  ffff8880a0f81900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.085971]  ffff8880a0f81980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.085974] ==================================================================
[ 38.085976] Disabling lock debugging due to kernel taint
[ 38.085986] Kernel panic - not syncing: panic_on_warn set ...
[ 38.085986]
[ 38.085993] CPU: 0 PID: 6439 Comm: syz-executor444 Tainted: G B 4.19.132-syzkaller #0
[ 38.085997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.085998] Call Trace:
[ 38.086006]  dump_stack+0x1fc/0x2fe
[ 38.086014]  panic+0x26a/0x50e
[ 38.086020]  ? __warn_printk+0xf3/0xf3
[ 38.086027]  ? lock_downgrade+0x720/0x720
[ 38.086035]  ? print_shadow_for_address+0xb8/0x114
[ 38.086042]  ? trace_hardirqs_on+0x55/0x210
[ 38.086050]  kasan_end_report+0x43/0x49
[ 38.086056]  kasan_report_error.cold+0xa7/0x1c7
[ 38.086062]  ? bit_putcs+0xbaf/0xd10
[ 38.086068]  __asan_report_load1_noabort+0x88/0x90
[ 38.086074]  ? bit_putcs+0xbaf/0xd10
[ 38.086080]  bit_putcs+0xbaf/0xd10
[ 38.086091]  ? bit_cursor+0x1820/0x1820
[ 38.086099]  ? fb_get_color_depth+0x11a/0x240
[ 38.086106]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 38.086114]  ? bit_cursor+0x1820/0x1820
[ 38.086120]  fbcon_putcs+0x336/0x4f0
[ 38.086128]  do_update_region+0x399/0x630
[ 38.086136]  ? con_get_trans_old+0x280/0x280
[ 38.086144]  ? fbcon_set_palette+0x4d0/0x5f0
[ 38.086150]  ? var_to_display+0x7f0/0x7f0
[ 38.086157]  redraw_screen+0x5e1/0x870
[ 38.086163]  ? wait_for_completion_io+0x10/0x10
[ 38.086170]  ? vc_init+0x440/0x440
[ 38.086178]  vc_do_resize+0x1132/0x1440
[ 38.086188]  ? redraw_screen+0x870/0x870
[ 38.086195]  ? lock_acquire+0x170/0x3c0
[ 38.086201]  ? vt_ioctl+0x1e71/0x24d0
[ 38.086210]  vt_ioctl+0x1f74/0x24d0
[ 38.086217]  ? vt_waitactive+0x350/0x350
[ 38.086224]  ? avc_has_extended_perms+0x86d/0xea0
[ 38.086231]  ? __save_stack_trace+0xaf/0x190
[ 38.086239]  ? avc_ss_reset+0x170/0x170
[ 38.086245]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 38.086252]  ? tty_jobctrl_ioctl+0x4d/0xed0
[ 38.086258]  ? vt_waitactive+0x350/0x350
[ 38.086265]  tty_ioctl+0x5b0/0x15c0
[ 38.086271]  ? do_sys_open+0x2ba/0x520
[ 38.086277]  ? tty_fasync+0x300/0x300
[ 38.086292]  ? mark_held_locks+0xf0/0xf0
[ 38.086301]  ? debug_check_no_obj_freed+0x201/0x482
[ 38.086309]  ? lock_downgrade+0x720/0x720
[ 38.086315]  ? lock_acquire+0x170/0x3c0
[ 38.086321]  ? tty_fasync+0x300/0x300
[ 38.086329]  do_vfs_ioctl+0xcdb/0x12e0
[ 38.086336]  ? selinux_file_ioctl+0x506/0x6c0
[ 38.086343]  ? ioctl_preallocate+0x200/0x200
[ 38.086350]  ? selinux_inode_link+0x20/0x20
[ 38.086356]  ? putname+0xe1/0x120
[ 38.086363]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 38.086370]  ? putname+0xe1/0x120
[ 38.086379]  ksys_ioctl+0x9b/0xc0
[ 38.086387]  __x64_sys_ioctl+0x6f/0xb0
[ 38.086394]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 38.086400]  do_syscall_64+0xf9/0x620
[ 38.086408]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.086413] RIP: 0033:0x4403a9
[ 38.086419] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.086423] RSP: 002b:00007ffd6a7c56a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 38.086429] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403a9
[ 38.086433] RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
[ 38.086437] RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
[ 38.086440] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 38.086444] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 38.087607] Kernel Offset: disabled
[ 38.937815] Rebooting in 86400 seconds..